Ensure default Service Account is not used at organization level

Error: Default Service Account is used at organization level

Bridgecrew Policy ID: BC_GCP_IAM_8
Checkov Check ID: CKV_GCP_47
Severity: CRITICAL

Default Service Account is used at organization level

Description

A service account is a special Google account that belongs to an application or a VM, not to an individual end user. The application uses the service account to call Google APIs so that users are not directly involved. Service accounts represent the service-level security of application or VM resources, determined by the roles assigned to them. The use of default service accounts should be avoided; see below for details.

We recommend you do not set IAM role bindings using the default Compute Engine and App Engine service accounts.

Default Compute Engine Service Account: Used by GKE, Compute, DataProc, DataFlow, Composer.
[email protected]

Default Appspot Service Account: Used by App Engine, Cloud Functions, and App Engine-based services.
[email protected]

Fix - Buildtime

Terraform

  • Resources:
    google_organization_iam_member
    google_organization_iam_binding
  • Argument: member
# google_organization_iam_member: remove the member line that names a default service account
resource "google_organization_iam_member" "organization" {
  org_id = "your-org-id"
  role   = "roles/owner"
- member = "[email protected]"
- member = "[email protected]"
}

# google_organization_iam_binding: remove the default service accounts from the members list
resource "google_organization_iam_binding" "organization" {
  org_id = "your-org-id"
  role   = "roles/owner"
- members = [
-   "[email protected]",
-   "[email protected]"
- ]
}